I'm evaluating the front-end performance of a secure (SSL) web app here at work and I'm wondering if it's possible to compress text files (HTML/CSS/JavaScript) over SSL.
Using compression with SSL opens you up to vulnerabilities like BREACH, CRIME, or other chosen plain-text attacks.
You should disable compression, as SSL/TLS currently has no way to mitigate these length-oracle attacks.
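To check the length-oracle effect described in the answer, the following added example (not part of the original post) compares the on-the-wire size of two equal-length responses with and without compression. The page template, the secret value and the function names are constructed for illustration, and `zlib` stands in for whatever HTTP or TLS-level compression the server applies.

```python
import zlib

# Constructed sample data: a page that embeds a secret and also echoes
# a request parameter back into the same response body.
SECRET = "csrf_token=9f3a7c1e5b2d"
WRONG_GUESS = "csrf_token=q8w2z6k0m4x7"  # same length as SECRET, different value
TEMPLATE = (
    "<html><body><a href='/logout?{secret}'>Log out</a>"
    "<p>Results for: {query}</p></body></html>"
)


def render(query: str) -> bytes:
    """Build the response body with the reflected query parameter."""
    return TEMPLATE.format(secret=SECRET, query=query).encode()


def wire_length(body: bytes, compress: bool) -> int:
    """Size an on-path observer sees: encryption hides content, not length."""
    return len(zlib.compress(body, 6)) if compress else len(body)


def leaks_by_length(compress: bool) -> bool:
    """True if a matching and a non-matching reflection differ in size."""
    match = wire_length(render(SECRET), compress)
    miss = wire_length(render(WRONG_GUESS), compress)
    return match != miss


if __name__ == "__main__":
    for compress in (True, False):
        label = "compressed" if compress else "uncompressed"
        print(label,
              "match:", wire_length(render(SECRET), compress),
              "miss:", wire_length(render(WRONG_GUESS), compress),
              "leaks:", leaks_by_length(compress))
```

With compression on, the response that repeats the secret is shorter because the compressor replaces the repeat with a back-reference; with compression off, both responses have identical length and the signal disappears.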